Friday, April 14, 2017

Five Inmates Built Two PCs and Hacked a Prison From Within

Five inmates from the Marion Correctional Institution (MCI) built two computers from spare parts, hid them in the ceiling of a training room closet, and used them to hack into the prison's network.

Their actions were discovered in July 2015, when the prison's IT staff switched internal proxy servers from Microsoft to WebSense (now part of Forcepoint).

These servers, designed to monitor and report suspicious traffic, immediately started reporting issues.

Prison IT staff started receiving weird alerts

In the beginning, MCI admins received reports that a user account belonging to a prison contractor was exceeding daily traffic quotas. Other employees had also surpassed their daily traffic threshold, but these reports were coming in on days when that employee was off duty.

Things got weirder a few days later when admins received reports that the same employee was attempting to avoid the traffic monitoring proxies.

At this point, the prison's IT staff decided to investigate further. Their suspicion that something was wrong was confirmed moments later when they traced back the traffic to a computer with the name "-lab9-", a name inconsistent with the prison's internal computer naming scheme.
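The three signals described above (quota overruns on off-duty days, proxy-avoidance attempts, and a hostname outside the naming scheme) can be correlated mechanically. The following is an added example, not taken from the ODRC report or the original article; the log layout, roster, quota value and hostname pattern are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample proxy log: date, user, source host, MB transferred, verdict.
PROXY_LOG = """\
2015-07-03 contractor1 -lab9- 910 allowed
2015-07-03 contractor1 -lab9- 450 allowed
2015-07-03 staff2 MCI-WS-0042 1300 allowed
2015-07-06 contractor1 MCI-WS-0017 120 allowed
2015-07-07 contractor1 -lab9- 15 blocked:proxy-avoidance
"""
DAILY_QUOTA_MB = 1000                                      # assumed quota
OFF_DUTY = {"contractor1": {date(2015, 7, 3), date(2015, 7, 7)}}  # assumed roster
HOSTNAME_SCHEME = re.compile(r"MCI-WS-\d{4}")              # hypothetical naming scheme

def parse(log):
    """Yield (day, user, host, mb, verdict) for each whitespace-separated line."""
    for line in log.splitlines():
        day, user, host, mb, verdict = line.split()
        yield date.fromisoformat(day), user, host, int(mb), verdict

def findings(log):
    """Return sorted (day, user, finding) tuples for the three signals."""
    usage = defaultdict(int)
    out = set()
    for day, user, host, mb, verdict in parse(log):
        usage[(day, user)] += mb
        if day in OFF_DUTY.get(user, set()):
            out.add((day, user, "activity-while-off-duty"))
        if not HOSTNAME_SCHEME.fullmatch(host):
            out.add((day, user, f"unknown-host:{host}"))
        if verdict == "blocked:proxy-avoidance":
            out.add((day, user, "proxy-avoidance"))
    for (day, user), mb in usage.items():
        if mb > DAILY_QUOTA_MB:
            # Going over quota was common among staff; doing so while
            # off duty is what made the contractor's account stand out.
            off = day in OFF_DUTY.get(user, set())
            out.add((day, user, "quota-exceeded-off-duty" if off else "quota-exceeded"))
    return sorted(out)

if __name__ == "__main__":
    for day, user, finding in findings(PROXY_LOG):
        print(day, user, finding)
```
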

Computers hidden in a closet's ceiling

The prison staff started an investigation and tracked suspicious network traffic to port 16 of a switch located in the prison's P3 training room.

Network hub located in MCI Training Room P3 [ODRC]

When they got to the switch, IT staffers followed the network cable plugged into port 16 to a nearby closet, and up into the ceiling. Removing the ceiling tiles, prison employees found two fully-working computers, placed on two pieces of plywood.

Inmates used parts from prison's recycling program

According to a report released yesterday by the Ohio Department of Rehabilitation and Correction (ODRC), the agency identified the five prisoners who built the PCs.

The five inmates managed to build their two PCs because they were part of the prison's Green Initiative program where they worked in trash management and electronics recycling.

Inmates hacked prison network

A forensic analysis of the hard drives from the two PCs turned up legitimate software, hacking tools, and traces of illegal activities. According to the Office of the Ohio Inspector General, the two hard drives contained:

According to investigators, the inmates used these tools to capture network traffic, move laterally in the prison's network, crack passwords for active user accounts, and use these accounts to access the prison's network.

They used this access to collect personal information for other inmates, apply for credit cards in the names of other inmates, and issue passes for other inmates.

Prison staff shares some of the blame

Following the discovery of these tools and the inmates' actions, the ODRC moved the suspects to other institutions in November 2015.

The Office of the Ohio Inspector General also found that MCI staffers were at fault. First for failing to supervise inmates (who built two frickin' computers while in prison), and second for failing to force employees to change passwords every 90 days.

The findings from this investigation have been forwarded to the Marion County Prosecutor's Office and the Ohio Ethics Commission for consideration of any punishments.